PROFILING PROJECT

What is SCADA?

"Supervisory Control And Data Acquisition".

It's the monitoring branch of an automated infrastructure that decides "what to do" on the basis of "what is happening" (event driven).
It has been reality for many years.

But the market is migrating from proprietary, obscure and […] systems towards standard, documented and […] ones.
Many SCADA infrastructures are for: power and nuclear plants; gas, oil and water distribution; transports.

But real life taught us that lack of communications created more than huge incidents...
Sector: Sample Target Sub-sectors

Energy and Utilities: electrical power (generation, transmission, nuclear); natural gas; oil production and transmission systems

Communications and Information Technology: telecommunications (phone, fax, cable, satellites); broadcasting systems; software; hardware; networks (Internet)

Finance: banking; securities; investment

Health Care: hospitals; health-care facilities; blood-supply facilities; laboratories; pharmaceuticals
Sector: Sample Target Sub-sectors

Food: food safety; agriculture and food industry; food distribution

Water: drinking water; wastewater management

Transportation: air; rail; marine; surface

Safety: chemical, biological, radiological and nuclear safety; hazardous materials; search and rescue; emergency services (police, fire, ambulance and others); dams
Sector: Sample Target Sub-sectors

Government: government facilities; government services (for example meteorological services); government information networks; government assets; key national symbols (cultural institutions and national sites and monuments)

Manufacturing: chemical industry; defence industrial base
Human Machine Interface (HMI)
Remote Terminal Unit (RTU)
Programmable Logic Controller (PLC)
Communication
Enel is the biggest power distributor in Italy.
A lot of presentations by SCADA people talk about:

- DefCon, BlackHat and similar events
- on-line password and vulnerability databases
- legacy IT tools implementing SCADA scanning/testing/assessing features...

It seems that the outside world is really worried about […] :)
Technology

D'OH!

SCADA Security, http://recursiva.org/
Incidents

"About 3:28 p.m., Pacific daylight time, on June 10, 1999, a 16-inch-diameter steel pipeline owned by Olympic Pipe Line Company ruptured and released about 237,000 gallons of gasoline into a creek that flowed through Whatcom Falls Park in Bellingham, Washington. About 1.5 hours after the rupture, the gasoline ignited and burned approximately 1.5 miles along the creek. […] boys and a young man […] as a result of the accident. Eight additional injuries were documented. A single-family residence and the city of Bellingham's water treatment plant were severely damaged. As of January 2002, Olympic estimated that total property damages were at least $45 million."
"The Olympic Pipeline SCADA system consisted of Teledyne Brown Engineering SCADA Vector software, version 3.6.1, running on Digital Equipment Corporation (DEC) VAX Model 4000-300 computers with VMS operating system Version 7.1. In addition to the main SCADA computers (OLY01 and 02), a similarly configured DEC Alpha 300 computer running Alpha/VMS was used as a host for the Modisette Associates, Inc., pipeline leak detection system software package."
"5. [If] the supervisory control and data acquisition (SCADA) system computers had remained responsive to the commands of the Olympic controllers, the controller operating the accident pipeline would have been able to initiate actions that would have [prevented] the pressure increase that ruptured the pipeline."

http://www.cob.org/press/pipeline/whatcomcreek.htm
Technical Problems

SCADA systems need […] performance.

Antivirus would reduce performance enough to make the system useless or dangerous.

Although SCADA systems are exposed to viruses!
"In August 2003 Slammer infected a private computer network at the idled Davis-Besse nuclear power plant in Oak Harbor, Ohio, disabling a safety monitoring system for nearly five hours."

NIST, Guide to SCADA
Patching systems is a known […] in the IT world.

Changing anything is a […] in the SCADA world.

"Our service contractor provides us patches once a year."

CSO of a power distribution company
PenTesting

PenTesting old, small, very simple, projected-to-be-isolated devices may lead to service disruption.

The market is trying to provide a useful, but mainly "assured", method to assess SCADA networks' security.

Although periodical security testing is a must, and cannot be simply ignored.
"While a ping sweep was being performed on an active SCADA network that controlled 9-foot robotic arms, it was noticed that one arm became active and swung around 180 degrees. The controller for the arm was in standby mode before the ping sweep was initiated."

NIST, Guide to SCADA
Because of all these reasons, SCADA networks must be strongly protected from a perimeter point of view: VLANs, DMZs, filtering, content filtering, IDS...
Vendors

Traffic in clear text
No data encryption
No authentication
No accounting
Customers

Customer live witness (non-disclosure agreement)
IT and SCADA network […] (no physical or logical separation)
RAS/VPNs provide too much remote access
[…] configurations
No backups at all
No disaster recovery plan
People...

"The power plant monitoring system was unresponsive. When emergency services arrived, they found the operator watching a DVD on the HMI system."

CSO of a power distribution company
D. A. Norman, "The Design of Everyday Things"
Vitek Boden, in 2000, was arrested, convicted and jailed because he released millions of liters of untreated sewage using his laptop. It happened in Maroochy Shire, Queensland, maybe as a revenge against his last former employer.

http://www.theregister.co.uk/2001/10/31/hacker_jailed_for_revenge_sewage/
Thomas C. Reed, Ronald Reagan's Secretary, described in his book "At the Abyss" how the U.S. arranged for the Soviets to receive flawed SCADA software to manage their natural gas pipelines.

"The pipeline software that was to run the pumps, turbines, and valves was programmed to go haywire, after a decent interval, to reset pump speeds and valve settings to produce pressures far beyond those acceptable to pipeline joints and welds."

A 3 kiloton explosion was the result, in 1982 in Siberia.

http://www.themoscowtimes.ru/stories/2004/03/18/014.html
"Russian authorities revealed this week that Gazprom, a state-run gas utility, came under the control of hackers last year. [...] The report said hackers used a [Trojan] horse program, which stashes lines of harmful computer code in a benign-looking program."

http://findarticles.com/p/articles/mi_qa3739/is_200403/ai_n9360106
Lagos, Nigeria: "At least 40 people died because of fire injuries coming from a pipeline they were trying to open to steal petroleum."

[...]

"One year ago more than 250 people died in the same circumstances near Lagos."

http://news.bbc.co.uk/2/hi/africa/6209845.stm
"On August 2007 Anti-imperialist Team placed a complex and powerful home-made bomb at the pipeline in Vicenza, North of Italy, the one that takes kerosene from the NATO base in Aviano to Vicenza's one."

http://www.ansa.it/[…]
"The present state of security for SCADA is not commensurate with the threat or potential consequences. The industry has generated a large base of relatively […] systems, with chronic and pervasive vulnerabilities that have been observed during security assessments. […] applications of technology, informal security, and the fluid […] environment lead to unacceptable risk. [...] Security for SCADA is typically five to ten years [behind] typical information technology (IT) systems because of its historically stovepipe organization."

http://www.tswg.gov/tswg/ip/SustainableSecurity.pdf
SCADA security is at the same point IT security was 5 years ago.

[…] are to be understood, and a similar approach and security path has to be followed.

Does any SCADA Security Standard exist?
BS7799 / ISO27000 Information security management systems — Specification with guidance for use
ISO/IEC 17799:2005 Information Technology — Code of practice for information security management
ANSI/ISA S99.1 Security for Manufacturing and Control Systems
ANSI/ISA SP99 TR2 Integrating Electronic Security into Manufacturing and Control Systems Environment
ISO/IEC 15408 Common Criteria
NIST System Protection Profile for Industrial Control Systems (SPP-ICS)
CIDX Chemical Industry Data Exchange: Vulnerability Assessment Methodology (VAM) Guidance
ISPE/GAMP4 — Good Automated Manufacturing Practices
PCSF Process Control System Forum; NERC standards; AGA standards; NISCC Guidelines
Security priorities, ISO versus ISA (top to bottom):

ISO (Traditional IT systems)    ISA (Manufacturing and Control Systems)
Confidentiality                 Availability
Integrity                       Integrity
Availability                    Confidentiality
CrISTAL, Critical Infrastructures Security Test & Analysis Lab, was born in 2007 from some […]-working-on-security and often-[…]-on-SCADA professionals, to inform the world about SCADA issues.

http://cristal.recursiva.org/
- […] with people, as many people as possible
- exchanging […] related to SCADA security
- perform more technical research
- measure the SCADA market's security level
- […] documents / white papers
- write necessary tools
- […] a FDL methodology to pentest SCADA
Technical / Organizational

Analysis
Measurement
Security Testing
Education
Hardening
Ergonomics
- released a paper for CLUSIT
- workshops at different events in Italy and Europe
- workshops for students at universities
- a first public case history, chosen among our available references and research partner companies
Airliquide.com (Cryogenics, Industrial and Medical Gas Distribution)
Mil Mil (Healthcare)
Mirato (Healthcare)
Sovema (Manufacturing)
Multiutility (Power & Gas)
Sant Luis (Manufacturing)
Others (NDA signed)

------

Written NDA required
"... is the world […] committed with the manufacturing of battery making equipment ..."

Established […] years ago
Average 30 MLN US Dollars sales/year
Italy: about 100 employees, 10.000 sq
Offices in […], Asia and U.S.A.
Sovema always used SIEMENS Profibus technologies, then some customers […] for Ethernet and they implemented a solution...
A new test-bed:

A PLC with expansion card
An operator panel
[…] alert about PLC operations
Testbed

Screenshot: browser page titled "<script>alert(…)</script> Home Page", with an alert dialog "The page at http://192.168.1.160 says: …"
Tools - always needed!

nmap - let's meet...
nessus - just to be sure about stupid things :)
wireshark - do you feel the net inside yourself? :)
scripts/commands/hacks/test/experience
PLC open ports:

# rockwell-encap (44818/tcp)
# http (80/tcp)
# snmp (161/udp)
# rockwell-csp2 (2222/udp)
# rockwell-encap (44818/udp)

No access to PLC functions through HTTP or SNMP / No parameters can be changed through HTTP / No HTTP authentication / Remote monitor via CIP
Operator panel open ports:

# rockwell-encap (44818/tcp)
# streetperfect (1330/tcp)
# intersan (1331/tcp)
# netbios-ns (137/udp)

Managed through the display / Monitored via CIP by a HMI / Honours the source-route option / File server available
233  729.720345  192.168.1.161  192.168.1.160  CIP  Get Attribute All

EtherNet/IP (Industrial Protocol), Session: 0x0A020100, Send Unit Data
  Encapsulation Header
    Command: Send Unit Data (0x0070)
    Length: 23
    Session Handle: 0x0A020100
    Status: Success (0x00000000)
    Sender Context: 0000000000000000
    Options: 0x00000000
  Command Specific Data
    Interface Handle: CIP (0x00000000)
    Timeout: 0
    Item Count: 2
Common Industrial Protocol
  Service: Get Attribute All (Request)
    0... .... = Request/Response: Request (0x00)
    .000 0001 = Service: Get Attribute All (0x01)
  Request Path Size: 2 (words)
  Request Path: Identity Object, Instance: 0x01
    8-Bit Logical Class Segment (0x20)
      Class: Identity Object (0x01)
    8-Bit Logical Instance Segment (0x24)

0040  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0050  00 00 00 00 02 00 a1 00 04 00 c1 00 3c 00 b1 00
0060  08 00 01 00 01 02 20 01 24 01
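The dissection above is what a defender sees when a HMI polls the PLC's Identity object over EtherNet/IP; the same structure (24-byte encapsulation header, Common Packet Format items, then the CIP service and EPATH) is what a monitoring sensor for this protocol has to decode. The following is an added example, not code from the slides or from CrISTAL: a small parser for that layering, run over a packet reconstructed from the capture. The CPF payload bytes are those of the hex dump; the encapsulation header is rebuilt from the field values shown (command 0x0070, session handle 0x0A020100, zero status, context and options), with the Length field computed from the payload rather than copied. The command, service and class name tables are the standard ODVA values; everything else (function names, the record layout) is this example's own choice.

```python
import struct

# Constructed sample packet. The CPF payload is the hex dump from the capture;
# the header is rebuilt from the dissection's field values, and its length
# field is computed from the payload (a parser must check it against the data).
CPF_PAYLOAD = bytes.fromhex(
    "00000000"                  # interface handle: CIP
    "0000"                      # timeout
    "0200"                      # item count: 2
    "a100" "0400" "c1003c00"    # connected address item: 4-byte connection id
    "b100" "0800"               # connected data item: 8 bytes follow
    "0100"                      # connection sequence count
    "01"                        # service: Get Attribute All (request, bit 7 clear)
    "02"                        # request path size in 16-bit words
    "2001"                      # 8-bit logical class segment: Identity Object (0x01)
    "2401"                      # 8-bit logical instance segment: instance 1
)
ENIP_HEADER = struct.pack("<HHII8sI", 0x0070, len(CPF_PAYLOAD),
                          0x0A020100, 0, bytes(8), 0)
SAMPLE_PACKET = ENIP_HEADER + CPF_PAYLOAD

ENIP_COMMANDS = {0x0004: "ListServices", 0x0063: "ListIdentity",
                 0x0065: "RegisterSession", 0x0066: "UnRegisterSession",
                 0x006F: "SendRRData", 0x0070: "SendUnitData"}
CIP_SERVICES = {0x01: "Get_Attribute_All", 0x02: "Set_Attribute_All",
                0x05: "Reset", 0x0E: "Get_Attribute_Single",
                0x10: "Set_Attribute_Single"}
CIP_CLASSES = {0x01: "Identity", 0x02: "Message Router",
               0x04: "Assembly", 0x06: "Connection Manager"}
SEGMENTS = {0x20: "class", 0x24: "instance", 0x30: "attribute"}


def parse_encap_header(pkt):
    """Split the 24-byte encapsulation header from the data it announces."""
    if len(pkt) < 24:
        raise ValueError("truncated encapsulation header")
    cmd, length, session, status, ctx, opts = struct.unpack("<HHII8sI", pkt[:24])
    if len(pkt) - 24 < length:
        raise ValueError("length field exceeds bytes on the wire")
    header = {"command": cmd, "command_name": ENIP_COMMANDS.get(cmd, "unknown"),
              "length": length, "session_handle": session, "status": status,
              "sender_context": ctx, "options": opts}
    return header, pkt[24:24 + length]


def parse_cpf(data):
    """Parse the Common Packet Format: interface handle, timeout, typed items."""
    iface, timeout, count = struct.unpack_from("<IHH", data, 0)
    offset, items = 8, []
    for _ in range(count):
        typ, ln = struct.unpack_from("<HH", data, offset)
        offset += 4
        if offset + ln > len(data):
            raise ValueError("CPF item overruns data")
        items.append({"type": typ, "data": data[offset:offset + ln]})
        offset += ln
    return {"interface_handle": iface, "timeout": timeout, "items": items}


def parse_epath(path):
    """Decode 8-bit logical segments (class 0x20, instance 0x24, attribute 0x30)."""
    segs, i = {}, 0
    while i + 1 < len(path):
        if path[i] not in SEGMENTS:
            raise ValueError(f"unsupported path segment 0x{path[i]:02x}")
        segs[SEGMENTS[path[i]]] = path[i + 1]
        i += 2
    return segs


def parse_cip_request(data):
    """Decode service code, EPATH and trailing request data of a CIP request."""
    if data[0] & 0x80:
        raise ValueError("reply bit set: not a request")
    words = data[1]
    path = parse_epath(data[2:2 + 2 * words])
    return {"service": data[0], "service_name": CIP_SERVICES.get(data[0], "unknown"),
            "class_name": CIP_CLASSES.get(path.get("class"), "unknown"),
            "path": path, "request_data": data[2 + 2 * words:]}


def parse_enip_packet(pkt):
    """Parse one EtherNet/IP packet carrying a connected or unconnected CIP request."""
    header, body = parse_encap_header(pkt)
    result = {"header": header}
    if header["command"] in (0x006F, 0x0070):
        cpf = parse_cpf(body)
        result["cpf"] = cpf
        for item in cpf["items"]:
            if item["type"] == 0x00A1:      # connected address item
                result["connection_id"] = struct.unpack("<I", item["data"])[0]
            elif item["type"] == 0x00B1:    # connected data: sequence count + CIP
                result["sequence_count"] = struct.unpack_from("<H", item["data"])[0]
                result["cip"] = parse_cip_request(item["data"][2:])
            elif item["type"] == 0x00B2:    # unconnected data: CIP directly
                result["cip"] = parse_cip_request(item["data"])
    return result


if __name__ == "__main__":
    parsed = parse_enip_packet(SAMPLE_PACKET)
    print(parsed["header"]["command_name"], parsed["cip"]["service_name"],
          parsed["cip"]["class_name"], parsed["cip"]["path"])
```

Because the protocol carries no authentication (the slides' "cleartext, easily forgeable" finding), a decoder like this is the natural place to whitelist which sources may send which services: a Get_Attribute_All from the HMI is expected polling, while a Set_Attribute_* or Reset from any other address is worth an alert.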
- nmap -sV / -O
- ping -f
- ping -s > 56200
- Traffic > 10 Mb/s

All conditions that make both devices unresponsive.
DoS:
- ping -f, ping -s 56200, nmap -sV/-O

WEBugs2.0:
- xss, no auth, but no parameters to change

Protocol:
- cleartext, easily forgeable
- snmp, but useless on SCADA, only IP
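The two slides above (the DoS conditions, and the problems summary) describe traffic patterns that a simple device cannot survive: a ping flood, oversized echo requests, a service/version scan, or just more than 10 Mb/s. Since the best a site can do is keep such traffic off the control network and notice it early, here is an added example (not code from the slides or from CrISTAL) of detection logic of the kind an IDS in front of the devices would run, applied to a constructed per-packet log. The testbed addresses 192.168.1.160 and 192.168.1.161 are taken from the capture; the 10 Mb/s figure is the slides' own observation, while the other thresholds, the record layout and the function names are assumptions for this example.

```python
from collections import defaultdict

# The two testbed devices from the capture on the slides.
PLC_HOSTS = {"192.168.1.160", "192.168.1.161"}

# Thresholds: the 10 Mb/s figure is the slides' own observation; the other
# values are assumptions for this example and would be tuned per site.
ICMP_MAX_BYTES = 1472          # echo requests larger than this fragment ("ping -s" case)
ICMP_MAX_PPS = 100             # echo requests per source per second ("ping -f" case)
MAX_BITS_PER_SEC = 10_000_000  # aggregate load per device that made the testbed hang
MAX_DISTINCT_PORTS = 20        # distinct TCP/UDP ports per source per second (scan case)


def detect(records):
    """Raise alerts over per-packet records addressed to the protected devices.

    A record is a dict with t (seconds), src, dst, proto ('icmp', 'tcp' or
    'udp'), dport (None for icmp) and length (bytes). Windows are one second.
    """
    bytes_per_dst = defaultdict(int)      # (win, dst) -> bytes
    icmp_per_src = defaultdict(int)       # (win, src, dst) -> echo count
    ports_per_src = defaultdict(set)      # (win, src, dst) -> {(proto, port)}
    alerts = []
    for r in records:
        if r["dst"] not in PLC_HOSTS:
            continue
        win = int(r["t"])
        bytes_per_dst[(win, r["dst"])] += r["length"]
        if r["proto"] == "icmp":
            icmp_per_src[(win, r["src"], r["dst"])] += 1
            if r["length"] > ICMP_MAX_BYTES:
                alerts.append({"kind": "oversized_icmp", "win": win, "src": r["src"],
                               "dst": r["dst"], "value": r["length"]})
        else:
            ports_per_src[(win, r["src"], r["dst"])].add((r["proto"], r["dport"]))
    for (win, src, dst), n in icmp_per_src.items():
        if n > ICMP_MAX_PPS:
            alerts.append({"kind": "icmp_flood", "win": win, "src": src, "dst": dst, "value": n})
    for (win, src, dst), ports in ports_per_src.items():
        if len(ports) > MAX_DISTINCT_PORTS:
            alerts.append({"kind": "port_scan", "win": win, "src": src, "dst": dst,
                           "value": len(ports)})
    for (win, dst), nbytes in bytes_per_dst.items():
        if nbytes * 8 > MAX_BITS_PER_SEC:
            alerts.append({"kind": "volume", "win": win, "src": None, "dst": dst,
                           "value": nbytes * 8})
    return sorted(alerts, key=lambda a: (a["win"], a["kind"]))


def sample_records():
    """Constructed traffic log: benign HMI polling plus the four DoS conditions."""
    recs = []
    # Benign HMI polling over EtherNet/IP (44818/tcp, as on the slides), one per second.
    for i in range(5):
        recs.append({"t": i + 0.1, "src": "192.168.1.10", "dst": "192.168.1.160",
                     "proto": "tcp", "dport": 44818, "length": 120})
    # One oversized echo request (ping -s 56200 style: 56200 bytes plus 8 of ICMP header).
    recs.append({"t": 1.2, "src": "192.168.1.50", "dst": "192.168.1.160",
                 "proto": "icmp", "dport": None, "length": 56208})
    # An echo flood (ping -f style): 300 small echoes inside one second.
    for i in range(300):
        recs.append({"t": 2 + i / 300, "src": "192.168.1.50", "dst": "192.168.1.160",
                     "proto": "icmp", "dport": None, "length": 64})
    # A version scan: one SYN to each of 40 ports on the panel inside one second.
    for port in range(1, 41):
        recs.append({"t": 3 + port / 100, "src": "192.168.1.50", "dst": "192.168.1.161",
                     "proto": "tcp", "dport": port, "length": 60})
    # Raw volume: 1000 full-size datagrams to the panel in one second (12 Mb/s).
    for i in range(1000):
        recs.append({"t": 4 + i / 1000, "src": "192.168.1.99", "dst": "192.168.1.161",
                     "proto": "udp", "dport": 2222, "length": 1500})
    return recs


if __name__ == "__main__":
    for a in detect(sample_records()):
        print(a)
```

The per-destination byte counter is the one that matters most for devices like these: it fires regardless of protocol, so a flood of perfectly valid CIP traffic from a compromised HMI is caught as readily as an ICMP flood. With a QoS policy or rate limit on the switch port in front of the PLC (the slides' "Implement Quality of Service" practice), the same thresholds can be enforced rather than only alerted on.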
Very simple device (both HW&SW), very tailored:

- very easy to DoS
- some "silliness", but nothing terrible
- no huge bugs
- the need for tools emerged...
- […] more people
- release a periodic bulletin about market status
- write more tech&org articles/white papers
- create a pool of public case histories
- write some tools (i.e. CIP injector)
- release a PenTesting methodology under FDL
Best Practices

- Segment into VLANs/DMZs
- Firewall / Content Filtering / IDS
- Implement device redundancy
- Take care about physical security
- Update […] and documentation
- […] and apply policies
Best Practices

- Disable unused services
- Adopt AAA solutions
- Use encryption (i.e. VPN)
- Implement Quality of Service
- Use a test-bed for simulations/security tests
- Periodically run security tests (with a declared and common methodology)
These slides are written by Alessio L.R. Pennasilico aka mayhem. They are subject to the Creative Commons Attribution-ShareAlike 2.5 licence; you can copy, modify, or sell them. Please cite your source and use the same licence :)